01-12-2003, 07:22 PM
Rodger Whitlock
OT. new antispam laws in the US

On Mon, 1 Dec 2003 12:44:26 +0000, Martin Brown wrote:

...Anything I bounce goes back to the
address in the return path complete with all the spammer's forged
headers. It is then up to the unfortunate on the receiving end to decode
them and complain about the forgery to the spammer's ISP or more likely
the dumb sysop with the open mail relay (or his ISP).


That kind of "bounce" is worse than useless and merely aggravates
the problems caused by spam. Stop it right now.

[If I'm repeating myself in what follows, apologies.]

There are two distinct types of e-mail bounces:

1. The kind you describe, where the entire message is received by
a POP server, then forwarded, either by the server or by an
e-mail program under user control, to the address in the
"Return-path:" header. This is what's described above.

2. The other kind is where the destination SMTP/POP server
refuses to accept a message and returns an error code to the
originating SMTP server. This is what you get if you send e-mail
to a non-existent address.

It sounds like lots of people don't understand how e-mails are
sent. They are in three parts, which are transmitted in this
order:

1. The "envelope", which says who the message is for. This is
normally invisible to the end recipient because it is stripped
off by most POP servers. The envelope may also contain the size
of the message within and a small amount of other data.

2. The "headers", starting with "Received:" headers, most recent
first. Every server that a given e-mail passes through adds a
"Received:" header at the front. The headers usually include
"From:", "To:", and "Subject:" headers, among others. Return-path
is among these.

3. Finally, separated by a blank line from the headers, the body
of the message.

Items 2 and 3 constitute the "message".

The key thing to understand is that the headers (item 2) may have
nothing to do with anything; they can all be complete forgeries
with the solitary exception of the most recent (first in line)
Received: header. If I send someone an e-mail and BCC (blind
carbon copy) it to someone else, the primary recipient cannot
tell that a copy went to the BCC recipient. Also, the headers in
the BCC copy will show the primary recipient in the To: header.
The only place the BCC recipient's e-mail address is shown is in
the envelope.

Spammers usually (I was going to write invariably) forge the
headers. It takes considerable skill and experience to reliably
sort out the truth from all the lies. In particular, From: and
Return-path: are very likely forged; the spammer really does not
care what happens to a message once it is fired off into the
ether.

While we wait for effective anti-spam legislation to be brought
in, the only bounces that do any good are those based on the
envelopes. But I have yet to hear of anti-spam software that
operates on the fly as a message trickles in. It is conceptually
possible to write software that would look at the identity of the
transmitting server (itself forge-able) and the target address
and block further transmission by emitting an error message.

Moreover, when a spam uses an intermediate server, such a bounce
will never get back to the spammer. He doesn't care! However, it
will reduce the bandwidth spam consumes by allowing the
transmitting server not to bother with the headers and body. Whether
the transmitting server then tries to pass the error message
backwards to wherever it received the spam from depends on the
server software there.

The upshot of this is that anti-spam software that operates after
the entire message is received should not bother "bouncing"
anything. It's a total waste of time in almost all cases. The
best you can expect is to either delete identified spam or mark
it as spam so at least the end recipient doesn't have to download
it from the POP server. Since the final connection in the chain
is often a slow dial-up connection, this can save a lot of
connect time, but the spam has already chewed up *internet*
bandwidth and done its best to clog the recipient mailbox.

But whatever you do, don't "bounce" spam on the basis of the
headers. You're merely causing someone else, probably an
innocent, trouble. If you want, you can analyze the Received
headers and notify sysadmins that either they are harboring a
spammer or that they are running an open mail server used as a
relay.

If you are really a masochist, you can open the spam, access the
web pages, and see if you can figure out where your money would
go.

But remember where the profits are in spamming: not in the
businesses that advertise using spam, but in the business of
sending spam on behalf of idiots.

Sorry for the very long and very off-topic message, but there are
evidently considerable misunderstandings about e-mail operation
and people are responding to spam in counter-productive ways.

--
Rodger Whitlock
Victoria, British Columbia, Canada
[change "atlantic" to "pacific" and
"invalid" to "net" to reply by email]
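As an added illustration of the three-part structure and the two kinds of "bounce" described in the post above (this is example code, not part of the original thread or written by its author), the Python script below separates a constructed envelope from a constructed message, walks the Received: chain to show that only the line our own server added is trustworthy, shows where a header-based bounce would actually go (the forged Return-Path), recovers a BCC recipient that exists only in the envelope, and models the envelope-based refusal at RCPT TO as a plain policy function. All hostnames, addresses and IP numbers are placeholders; `mx.ourdomain.example`, `LOCAL_MAILBOXES` and the function names are assumptions for the example, and `smtp_time_reply` is a stand-in for a real SMTP server's reply, not a server.

```python
"""Envelope vs. headers, and reject-at-SMTP-time vs. accept-then-bounce.

Added example for the post above, not code from the thread. Every host,
address and IP below is CONSTRUCTED for illustration.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr
from typing import List, Optional, Set, Tuple

# Part 1, the envelope: carried in the SMTP dialogue (MAIL FROM / RCPT TO),
# never inside the message text. A BCC recipient lives here and nowhere else.
ENVELOPE = {
    "mail_from": "bounce-trap@victim.example",      # forged; an innocent party
    "rcpt_to": ["alice@ourdomain.example", "bcc-person@ourdomain.example"],
}

# Parts 2 and 3, the message: headers, a blank line, then the body. Every
# header can be forged except the Received: line our own server prepended.
RAW_MESSAGE = """Received: from relay.open-relay.example (relay.open-relay.example [203.0.113.7])
\tby mx.ourdomain.example with ESMTP id 12345; Mon, 1 Dec 2003 12:44:26 +0000
Received: from mail.respectable.example (mail.respectable.example [198.51.100.9])
\tby relay.open-relay.example with SMTP; Mon, 1 Dec 2003 12:40:00 +0000
Return-Path: <bounce-trap@victim.example>
From: "Friendly Bank" <support@respectable.example>
To: alice@ourdomain.example
Subject: Your account

Click here to claim your prize.
"""

OUR_MX = "mx.ourdomain.example"                       # assumed: our receiving server
LOCAL_MAILBOXES: Set[str] = {"alice@ourdomain.example", "bob@ourdomain.example"}


def received_chain(raw: str) -> List[str]:
    """Received: headers in on-the-wire order: the most recent hop first."""
    msg = message_from_string(raw)
    # Collapse folded continuation lines so each hop is one string.
    return [" ".join(hop.split()) for hop in msg.get_all("Received", [])]


def trustworthy_hop(raw: str, our_host: str) -> Optional[str]:
    """Only the Received: line written by our own server can be believed.
    Everything below it arrived with the message and may be a forgery."""
    chain = received_chain(raw)
    if chain and f"by {our_host}" in chain[0]:
        return chain[0]
    return None


def header_bounce_target(raw: str) -> str:
    """Where an accept-then-bounce (the kind the post condemns) would go:
    the Return-Path address, which the sender chose and may have forged."""
    msg = message_from_string(raw)
    return parseaddr(msg.get("Return-Path", ""))[1]


def bcc_recipients(envelope: dict, raw: str) -> List[str]:
    """Envelope recipients absent from To:/Cc:, i.e. the BCC recipients.
    The headers alone give no hint that they exist."""
    msg = message_from_string(raw)
    visible = set()
    for field in ("To", "Cc"):
        for _, addr in getaddresses(msg.get_all(field, [])):
            visible.add(addr.lower())
    return [r for r in envelope["rcpt_to"] if r.lower() not in visible]


def smtp_time_reply(rcpt: str, local_mailboxes: Set[str]) -> Tuple[int, str]:
    """The useful kind of 'bounce': refuse at RCPT TO, before headers or body
    are transmitted. The sending server gets an error code; no new message
    is created that could land on a forged Return-Path."""
    if rcpt.lower() in local_mailboxes:
        return 250, "OK"
    return 550, "No such user here"


if __name__ == "__main__":
    for hop in received_chain(RAW_MESSAGE):
        print("Received:", hop)
    print("Trustworthy hop:", trustworthy_hop(RAW_MESSAGE, OUR_MX))
    print("Header-based bounce would go to:", header_bounce_target(RAW_MESSAGE))
    print("BCC recipients (envelope only):", bcc_recipients(ENVELOPE, RAW_MESSAGE))
    for rcpt in ENVELOPE["rcpt_to"]:
        print(rcpt, "->", smtp_time_reply(rcpt, LOCAL_MAILBOXES))
```

Run as a script, it prints the two Received: hops, marks only the topmost (the one "by mx.ourdomain.example") as trustworthy, shows that a header-based bounce would hit `bounce-trap@victim.example` rather than anyone who sent the message, lists `bcc-person@ourdomain.example` as visible only in the envelope, and answers 250 for the existing mailbox but 550 for the unknown one, which is the error-code refusal the post describes.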